
Flashpoint warns of a new business email compromise campaign targeting organizations in various industries with the aim of harvesting credentials.

A business email compromise (BEC) campaign emanating from West Africa is targeting companies in a wide swathe of industries, bucking the trend of these scams focusing on wire fraud and targeting CEOs.

The criminals are using phishing emails with links redirecting victims to sites designed to harvest corporate email credentials.

Researchers at Flashpoint said it’s likely one individual or a small group working together on each phase of the attacks, which likely date back to before March and were still active as of Aug. 8. The researchers saw emails targeting large retail organizations, universities, software and tech companies, engineering firms, real estate companies and churches.

“These waves of emails are customized per organization, which is why we think it’s one individual or a small group because of the way the file structure is set up and the overlapping domains,” said Ronnie Tokazowski, senior malware analyst at Flashpoint.

He added that so far, the attackers have sent 73 PDFs with redirect links, and of those 73, Flashpoint was able to identify 70 unique URIs and 29 domains involved.

“We’re thinking it was email credentials they were targeting,” Tokazowski said. Once the attackers have access to a victim’s email, they’re able to send additional phishing emails to contacts and target other organizations, Tokazowski said.

Like most BEC campaigns, this one is fairly low-tech, relying instead on convincing social engineering to achieve its goals. While these attacks are growing in sophistication overall, most still opt not to use malware or exploits, for example, which means the attacks avoid detection by antimalware and intrusion detection systems.

Another commonality among BEC campaigns is the targeting of executives in the hope of luring them into making fraudulent money transfers. This one, however, is much more scattered.

“The emails we saw were widely spread out, targeting anyone [in an organization],” Tokazowski said. “There’s no correlation between the targets other than throwing something out there hoping it sticks. This is very widespread, broad targeting.”

When the PDF is opened, it presents the victim with a prompt to view a secure document online. The prompt redirects the victim to a phishing site where there are several options available to download the alleged file. The user is prompted to enter their credentials, and once they do, the script redirects them to a document or webpage owned by the targeted organization, Flashpoint explains in a report published today.

Once the criminals harvest valid credentials, they can continue to pivot out and send additional emails to contacts who would view the messages as coming from a trusted source. They could also monitor the victim’s inbox for additional valuable information, Flashpoint said.

Despite the lack of technical sophistication, losses from BEC dwarf those attributed to ransomware. The FBI in May said that fraud and phishing due to BEC grew 2,370 percent from 2015 and led to $5.3 billion in losses since late 2013. Wire transfers are the primary vehicle for fraud in these schemes, the FBI said.

“If someone targeted me with this, it’s not something I would click. But with $5 billion in losses, these have to be convincing to someone,” Tokazowski said. “Going to a website that has a secure document with your company names adds an extra level of legitimacy to it. If it’s coming from a known organization or large entity out there, that adds more trust to the document.”

Authors

Threatpost
